6d17ef161703adeb63bed1a59340dfa4
Jump to navigation
Jump to search
Identification
General information
- SHA256: 4131c4449dd1c0364d0f182225f5457acb7fe466cf03a314e1ac8cae24d672c0
- SHA1: f9bdb5d3d0b27020b38e8ca3d9598c30f6375cd3
- MD5: 6d17ef161703adeb63bed1a59340dfa4
- File size: 47.4 KB ( 48536 bytes )
- File name: AQSZDC.exe
- File type: Win32 EXE
- Tags: peexe signed
Detection
- Detection ratio: 22 / 47 (on 2013-09-05)
- Link to virustotal analysis
| Antivirus | Result | Update |
|---|---|---|
| AVG | Generic34.BPLO | 20130904 |
| BitDefender | Trojan.GenericKDV.1217763 | 20130905 |
| Commtouch | W32/Backdoor.AHNI-0007 | 20130905 |
| Comodo | TrojWare.Win32.Trojan.Agent.Gen | 20130905 |
| DrWeb | Trojan.DownLoader6.34128 | 20130905 |
| Emsisoft | Trojan.GenericKDV.1217763 (B) | 20130905 |
| ESET-NOD32 | Win32/Remtasu.S | 20130905 |
| F-Secure | Trojan.GenericKDV.1217763 | 20130905 |
| Fortinet | W32/Menti.ILO!tr | 20130905 |
| GData | Trojan.GenericKDV.1217763 | 20130905 |
| Jiangmin | Trojan/Refroso.vti | 20130903 |
| Kaspersky | Backdoor.Win32.Xtreme.addr | 20130905 |
| McAfee | Artemis!6D17EF161703 | 20130905 |
| McAfee-GW-Edition | Artemis!6D17EF161703 | 20130905 |
| MicroWorld-eScan | Trojan.GenericKDV.1217763 | 20130905 |
| NANO-Antivirus | Trojan.Win32.Xtreme.cesozs | 20130904 |
| Norman | Injector.DIRT | 20130905 |
| Panda | Trj/CI.A | 20130904 |
| Sophos | Mal/EncPk-NST | 20130905 |
| Symantec | WS.Reputation.1 | 20130905 |
| TrendMicro-HouseCall | TROJ_GEN.F47V0829 | 20130905 |
| VIPRE | Trojan.Win32.Generic!BT | 20130905 |
Behavior
Key, Mouse, Clipboard, Microphone and Screen Caputering
- Installs a global keyboard hook
File activities
- Source: iexplore.exe:
- file:///c:/documents%20and%20settings/all%20users/start%20menu/programs/startup/jbxinitvm.a
- file:///c:/jbxinitvm.a
- Creates a copy in
- C:\Documents and Settings\Administrator\Application Data\AQSZEDFRTG\AQSZDC.exe
Networking
URLs
- http://bibilomp.servemp3.com:2012/1234567890.functions (Source: iexplore.exe)
- http://moimoi.falayar10.eu:2011/1234567890.functions (Source: iexplore.exe)
- http://cacerts.digicert.com/digicertassuredidcodesigningca-1.cr (Source: svchost.exe)
- http://cacerts.digicert.com/digicertassuredidcodesigningca-1.crt0 (Source: AQSZDC.exe)
- http://cacerts.digicert.com/digicertassuredidrootca.cr (Source: svchost.exe)
- http://cacerts.digicert.com/digicertassuredidrootca.crt0 (Source: AQSZDC.exe)
- http://crl3.digicert.com/assured-cs-2011a.crl (Source: svchost.exe)
- http://crl3.digicert.com/assured-cs-2011a.crl03 (Source: AQSZDC.exe)
- http://crl3.digicert.com/digicertassuredidrootca.crl (Source: svchost.exe)
- http://crl3.digicert.com/digicertassuredidrootca.crl0: (Source: AQSZDC.exe)
- http://crl4.digicert.com/assured-cs-2011a.cr (Source: svchost.exe)
- http://crl4.digicert.com/assured-cs-2011a.crl0 (Source: AQSZDC.exe)
- http://crl4.digicert.com/digicertassuredidrootca.cr (Source: svchost.exe)
- http://crl4.digicert.com/digicertassuredidrootca.crl0 (Source: AQSZDC.exe)
- http://ocsp.digicert.com (Source: svchost.exe)
- http://ocsp.digicert.com0c (Source: AQSZDC.exe)
- http://ocsp.digicert.com0l (Source: AQSZDC.exe)
- http://www.digicert.com/ssl-cps-repository.ht (Source: svchost.exe)
- http://www.digicert.com/ssl-cps-repository.htm0 (Source: AQSZDC.exe)
Frequency
Very regular HTTP traffic to:
- http://bibilomp.servemp3.com:2012/1234567890.functions
- http://moimoi.falayar10.eu:2011/1234567890.functions
Process
Spawns processes:
- AQSZDC.exe (PID: 456 MD5: 6D17EF161703ADEB63BED1A59340DFA4)
- AQSZDC.exe (PID: 1336 MD5: 6D17EF161703ADEB63BED1A59340DFA4)
- svchost.exe (PID: 1280 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
- iexplore.exe (PID: 456 MD5: B60DDDD2D63CE41CB8C487FCFBB6419E)
- explorer.exe (PID: 1948 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
- AQSZDC.exe (PID: 1336 MD5: 6D17EF161703ADEB63BED1A59340DFA4)
Persistence
- Creates an autostart registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QWXDRFGTT (seems to be randomly generated. Also seen AQSZEDFRTG)
- Creates an undocumented autostart registry key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7541A31G-F31E-BY1V-EBFN-F4YWN6RB18R6} StubPath
Obfuscation
- Entry point lies outside standard sections
- PE file contains sections with non-standard names:
Sections:
Idx Name Size VMA LMA File off Algn
0 juiko 00001dc8 00401000 00401000 00000400 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE, DATA
1 gtyhu 00000010 00403000 00403000 00002200 2**2
CONTENTS, ALLOC, LOAD, DATA
2 ujhgtf 000001e0 00404000 00404000 00002400 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 azaz 00000150 00405000 00405000 00000000 2**3
ALLOC
4 ererer 00000344 00406000 00406000 00002600 2**2
CONTENTS, ALLOC, LOAD, DATA
5 .rsrc 00002a24 00407000 00407000 00002a00 2**2
CONTENTS, ALLOC, LOAD, DATA
- PE sections with suspicious entropy found
Mutex
Creates mutexes:
- \BaseNamedObjects\NWH6cPERSIST (Source: C:\WINDOWS\system32\svchost.exe)
- \BaseNamedObjects\NWH6c (Source: C:\Program Files\Internet Explorer\iexplore.exe)
- \BaseNamedObjects\NWH6cEXIT (Source: C:\WINDOWS\system32\svchost.exe)
- \BaseNamedObjects\XTREMEUPDATE (Source: C:\AQSZDC.exe)
Analysis
strings
ntdll libgcj_s.dll egisterClasSes m4645 Dqsaazere SetThreadContext ResumeThread ../../runtime/pseudo-reloc.c VirtualQuery (addr, &b, sizeof(b)) ../../../../gcc-4.4.1/libgcc/../gcc/config/i386/ ygming-shared-data.c 0 && "Couldn't retrieve name of GCClib shared data atom" ret->size == sizeof(__cygming_shared) && "GCClib shared data size mismatch" 0 && "Couldn't add GCClib shared data atom" -GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32 AddAtomA ExitProcess FindAtomA GetAtomNameA GetModuleHandleA GetProcAddress OpenProcess SetUnhandledExceptionFilter VirtualProtect VirtualQuery __getmainargs __p__environ __p__fmode __set_app_type _assert _cexit _iob _onexit _setmode abort atexit free malloc memcpy signal MessageBoxA KERNEL32 dll. msvcrt.dll USER32.dll
Links
- Virustotal: https://www.virustotal.com/fr/file/4131c4449dd1c0364d0f182225f5457acb7fe466cf03a314e1ac8cae24d672c0/analysis/1378378389/
- Download: https://www.dropbox.com/s/1cojr83v61kglxx/6d17ef161703adeb63bed1a59340dfa4-AQSZDC.exe.zip (pass: infected)
Comments
Keywords: 6d17ef161703adeb63bed1a59340dfa4